Training & Learning

I realized while attending my first Dallas Hackers of 2020 and meeting some veterans (@ApolloDev0 & @teufelsec75) in the Vet Tec program, a newer VA initiative to get Veterans filling IT and Information Security roles to fill the gap we have right now in the world, that I have access to recruiters and the ability to possibly employ (at least interview and assist in steering) young veterans in their career.

I also realized on the way home, and after a tweet, that a lot of people want to know about free and even paid resources for Infosec, IT, etc. So I’m creating a 2 part list:
1. A list for everyone of free and paid resources
2. A list for Veterans

Everyone:

Offensive-Security
https://www.vulnhub.com/entry/metasploitable-1,28/
(Metasploitable v1)
https://www.vulnhub.com/entry/metasploitable-2,29/
(Metasploitable v2)
https://github.com/rapid7/metasploitable3
(Metasploitable v3)
https://www.offensive-security.com/metasploit-unleashed/
(Metasploitable v4)
OSCP Write-up (Blade Soriano)
OSCP Write-up (John J Hacking)

@g0tmi1k’s Blog
Access Cyber Resources List
Acunetix Blog
aGupieWare Online
Archive.org
Applied Network Defense
AWS Training
Automate The Boring Stuff
Azeria Labs
Checkmarx
Application Security Beginner Guide

BHIS (Black Hills Information Security) Cyber Range
CISA Training
Coalfire – Basics of Exploit Development
Code7 (Text based adventure game)
Code.org
CodeAcademy
Corelan Team Training
Cornerstone
CrucialExams Practice Exams
Cybrary.it
Cyber Fast Track
Data Camp
Danger Zone
DFIR Diva
DFIR Madness – IR Training
DFIR.training
Educba Online Training
Ehacking Academy
eLearn Security
Eloquent Javascript
Evasion Techniques Checkpoint
ExamCompass Practice Exams
Explain Shell
Exploit DB
Exploit Development
Fortinet
Foxglove Security
Free Code Camp
FRSecure’s CISSP Mentor Program
Future Learn
GoCertify Practice Exams
Google’s IT Professional Certificate
Hacksplaining
Hack In The Class Labs
Hack The Box
Harvard University’s CS50 Introduction to Computer Science
HighOn.Coffee
Incident Response Challenge
Incident Response Consortium
InfosecMatter
Infosec Resources
Internet Archive
IronGeek’s Blog
John J Hacking Blog
KitPloit
Lains Space – Exploit Exercises
Learn Code The Hard Way
Learn Ruby
Lifehacker’s List of Free Computer Science College Courses
Lifehacker’s List of Free Educational Apps & Sites (Covid-19 response)
Machine Learning & Data Books
Malware Unicorn
Malware Must Die
Many Hats Club
Microsoft Learn
Minded Security
MIT Free Courses
Nessus Training
NetMux
NetSecFocus
NICCS Education and Training Catalog
NIST Resources
NodeSchool
NodeUniversity
Npower Tech Fundamentals Program
Open Culture
Open Learn University
Open Security Training
OpCode
OpSecX
OSINT
OWASP Slack
Palo Alto Networks
Pentest Geek
Picademy
PluralSight
PortSwigger
Praetorian Security Blog
Professor Messer
Project Nayuki
Project Python
PTES
PyBites
Python Programming
Qualys Training
red|blue
RegExr
Reverse Engineering Training
Reverse Engineering Malware Training
Root Me
RouterPWN
SANS Cyber Aces
SANS CyberSecurity Career Seekers
^^^^(Veteran specific program included)
SANS TryHackMe Xmas
Samurai WTF (Web Testing Framework)
SecTechno
Security & Pentest Resources
SecurityTube
Security Blue Team
She Hacks Purple
Social Engineering
Splunk Fundamentals Part 1
Stackskills
Standford University Advanced Computer Security Material
Sundowndev / Hacker Roadmap
Swift Playground (Mac & iPad)
Tenable Training
The Cyber Mentor
Thor Teaches
TrustedSec
Udemy
University of Cincinnati Malware RE Course
VulnHub
Web Hacking
Wild West Hackin Fest
Windows Images (Legal)
WithYouWithMe
Women in Cyber Security
Z-Lib


Veterans:

AWS Educate
CBT Nuggets
Cisco Networking Academy Training
Cisco Veterans Cyber Scholarship Program
CyberVets USA
Facebook Cybersecurity University
FedVTE
Fortinet FortiVet Program
Hack For Troops
Microsoft Software and Systems Academy
Milton Security Veteran Job Program
MWR Online Resources
NICCS Education and Training Catalog
O20 (Onward to Opportunity)
OpCode
Palo Alto
Second Watch Veteran Training Program

Splunk Fundamentals 2
SANS CyberAces
SANS CyberTalent
Immersion Academy

Tech For Troops
USO Pathfinder
USO Skillsoft
VeteranSec
Warrior 2 Cyber Warrior
Women in Cyber Security
With You With Me

Social Engineering 101 or The Art of How You Got Owned By The Random Stranger

So it’s been forever since I have posted. I have been busy between leaving the military, school, and having a REAL job now. Today I had the privilege of speaking at the Second Annual Cyber Security Conference for Collin College hosted by North Texas ISSA. Below is a copy of my presentation from that conference.

http://www.slideshare.net/StevenHatfield1/social-engineering-101-or-the-art-of-how-you-got-owned-by-that

Also, I was able to speak last month at NAISG DFW on this same topic. The talk was set for a somewhat less professional environment, as it was a lot of friends, and that version of the talk is below.

http://www.slideshare.net/StevenHatfield1/social-engineering-101-or-how-that-total-stranger-just-owned-you

Comments Off on Social Engineering 101 or The Art of How You Got Owned By The Random Stranger Posted in Uncategorized

John the Ripper Intro

First off, thanks to @hacktalkblog and @nberthaume with all the help they have given me with JtR and Hashcat. This post will be a basic rundown (with a couple of advanced parts) for people just starting in the world of hash cracking.

Let me start off with saying I use cygwin because I run Windows 7 since I fail and refuse to throw a linux OS as my main. Meh. You only have to slightly alter these commands, I believe, to not incorporate cygwin.

cat *dictionaryfilelocation* | ./john –stdin –format:raw-*format* –pot=*filename*.pot –session=*name* –crack-status *hashfilelocation*

The above command should be pretty simple to understand but I will break it down just in case. Everything inside the ** is what you must set yourself.

For me, I use cat /cygdrive/b/*. That means I’m catting everything on my b drive (which is reserved for my wordlists). You only need to do this if you have MULTIPLE dictionary files that you want JtR to run through and test against.

Next is –stdin which is just saying to accept that information is being piped into JtR.

Format:raw-*format* is you inputting whatever format the hashes you want to crack are in. In most cases they will be MD5 or Sha1 from what I’ve seen in the past few months from dumps.

Your pot file is where the cracked hashes will be output to. These will be put to the same directory as JtR. The output will look something like:

$dynamic_0$5fed917b9bb2d6ace789576b239901bd:1Q2W3E4R5T6Y7U8I9O0P

The session=*name* is used for a couple reasons:

  1. So that you can pause the cracking session and resume it later
  2. So that you can run multiple JtR sessions without a hassle

Crack-status will output as such:

guesses: 3  time: 0:00:07:58  c/s: 127406M  trying: EHARMONY1Wannabethe1 – EHARMONY1azreal

Lastly for this command is the *hashfilelocation*. In my case it is:


/cygdrive/c/Users/username/Desktop/Pass\ Cracking/crackme/filename.txt

I keep all of the dumps I gather in that crackme directory for ease.

There is a few other ways to run JtR. I’ll touch on running rules with the same general command above:

cat *dictionarylocation* | ./john –pipe –format:raw-*format* –pot=*filename*.pot –session=*name* –rules=*rule* –crack-status *hashfilelocation*

The change to the above command is –pipe. I’m not sure why you have to run pipe instead of stdin when running rules, but that’s the only way I’ve been able to get it to working.

Along with that, you also have the rules=*rule* command now. If you look here than you’ll see a quick rundown of rules. The easiest rule to use is of course rules=Single. I have found it extremely useful to also create your own rules based off the website name and run those. For me, I add rules to the john.ini file located in the run folder of JtR. I’ll give an example below:

[List.Rules:Nvidia]

# Nvidia Passwords

A0″[nN][vV][iI1][dD][iI1][aA4]”

Az”[nN][vV][iI1][dD][iI1][aA4]”

If you do a quick glance through the john.ini file you will see where you can add these rules. To create your own follow the same basic guide above. List.Rules:*rulename* must be put as whatever you want it to be typed as in the command. The # is of course just a comment about what the rule is. A0 is to append everything and Az prepends. What word is being played with is Nvidia. It will adjust everything with every possible combination you see per bracket. I’ll show how I did my Linkedin rules for the recent Linkedin dump:

[List.Rules:Linkedin]

# Linkedin Passwords

A0″[lL1][iI1][nN][kK][eE3][dD][iI][nN]”

Az”[lL1][iI1][nN][kK][eE3][dD][iI][nN]”

The same principal applies to the Linkedin rule we create with the above.